
SSO with 2 spring applications in different Tomcats

I have been asked to do an integration of our webapp into a 3rd party webapp:

  • both have identical Spring Security configurations
  • the entry point will always be the 3rd party webapp
  • integration will be through an IFrame unless there is a better way for SSO

So if you had both webapps in the same Tomcat instance, from what I know you could enable the SSO widget and you'd get SSO across webapps, but for a number of reasons we are running the webapps in their own Tomcat servers.

I've used Jasig CAS before to manage SSO services, but because the main webapp is not designed or maintained by us and there is only one entry point, I'm looking for a less invasive way of managing authentication across the services.

Would a cookie suffice, or should I be looking at something else?

After thinking about it, I can see 3 main possibilities:

  • move authentication to CAS on both applications. Pros: strong and validated solution, CasAuthenticationProvider can use the existing AuthenticationUserDetailsService to load roles, will allow first authentication on any application based on this CAS server (even if not a current requirement). Cons: maybe a heavy configuration for only 2 applications.
  • use the session cookie of the first application as a reference. If you can manage to get it on the second app, you use a custom pre-authenticated filter that gets the cookie and asks the userId from the first app. Pros: provided there is one page where you can get the userId (user name or ...) in the first app, you have nothing to change in it. Cons: you may have to put a common reverse proxy before the 2 apps to make them seem to come from the same server to be able to get the cookie in the second app, looks like a man-in-the-middle attack, may require a custom session cookie for the second app.
  • add a custom filter on the first app that sets a custom cookie containing a token, retrievable by the second app. The filter should also intercept a URL and send back the userId when the token is submitted. Then on the second app add a custom pre-authenticated filter that just gets this token and asks the userId from the first filter. Pros: adds a simple filter in the first application with little interaction with the rest of the app, seems reasonably simple and robust. Cons: needs custom filters on both applications and, because of that, extensive testing.

I would advise you to consider the 1st or 3rd solution, even if they require slight modification of Spring Security on a 3rd party application, because the 2nd really sounds like a dirty hack.
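To make the 3rd option concrete, here is an added example (not code from the answer's author) of the second application's side: a pre-authenticated filter built on Spring Security's AbstractPreAuthenticatedProcessingFilter. It assumes a cookie named SSO_TOKEN carrying an opaque 32-byte base64url token issued by the first application, the javax.servlet API (Spring Security 3.x to 5.x), and a hypothetical TokenResolver that performs the server-to-server lookup against the first application's token endpoint.

```java
import java.util.Arrays;
import java.util.Optional;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

// Second application, option 3: read the opaque SSO token cookie and ask the
// first application who it belongs to. The userId is never taken from the client.
public class SsoTokenPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {

    // Assumed cookie name; the first application's custom filter sets it.
    static final String COOKIE_NAME = "SSO_TOKEN";
    // Assumed token shape: 32 random bytes, base64url without padding (43 chars).
    private static final String TOKEN_SHAPE = "[A-Za-z0-9_-]{43}";

    // Hypothetical resolver: calls the first app's token endpoint server-to-server
    // (for example GET /sso/whoami with the token plus a shared secret) and
    // returns the userId, or empty if the token is unknown or expired.
    public interface TokenResolver {
        Optional<String> resolve(String token);
    }

    private final TokenResolver resolver;

    public SsoTokenPreAuthFilter(TokenResolver resolver) {
        this.resolver = resolver;
        // Re-check on every request so logout or expiry in the first app
        // takes effect here, instead of trusting a stale principal.
        setCheckForPrincipalChanges(true);
    }

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null; // no principal: the request proceeds unauthenticated
        }
        return Arrays.stream(cookies)
                .filter(c -> COOKIE_NAME.equals(c.getName()))
                .map(Cookie::getValue)
                .filter(v -> v.matches(TOKEN_SHAPE)) // drop malformed values before any remote call
                .findFirst()
                .flatMap(resolver::resolve)          // userId comes from the first app only
                .orElse(null);
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A"; // unused by PreAuthenticatedAuthenticationProvider
    }
}
```

Wire it with a PreAuthenticatedAuthenticationProvider whose preAuthenticatedUserDetailsService is the existing AuthenticationUserDetailsService, so roles are loaded the same way as today.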
